MS Teams deployment tool: Squirrel

I'm not a big fan of the brand new Squirrel QID 372014 and have questioned support #805475 with the following concerns:

The QID is not marked “0 day”, despite there being no patch.

There is no CVE, so nothing to throw to the techs that might resolve this.

The severity is a 4 despite the CVSS rating of only 4.3.

Microsoft themselves have this to say; “The article discusses a post-exploitation technique. An attacker using this technique must already have access and the ability to run code on the target system. This technique does not allow for elevation of privilege or remote code execution in cases where the attacker does not already have that ability on the target system. We may deal with this as part of normal Teams Development but not as an urgent Security Update.”

Sadly, YET AGAIN, changes have been made to the signature without updating the change log. This is so frustrating in circumstances when we're trying to unpick a suspected false-positive.

This has then led to Qualys support not apparently realising that changes were made before they acted on Friday, and are now insinuating that I need reading glasses, through use of yellow marker pen on screenshots of the new CVSS. "Dear Support, this WAS a CVSS 4.3 and there was no mention of 'Zero day' on Thursday. Trust me please."

Support have also ignored the paragraph from Microsoft too.

Since the new CVSS of 6.8 now matches the severity rating 4, could Qualys please explain why they now think it's of more risk, as since NIST returns blanks, this must be all your own doing? Before I edit the severity down, I want to understand the entire risk here, which Qualys believe is now more critical, despite Microsoft playing down.

This QID basically refers to a 'feature' linked to Living Off The Land Binaries and Scripts (and also Libraries). Both detected binaries are essential to keep your MS Teams updated. Interestingly, there is a post on the Internet demonstrating the usage of this 'feature' dating back to summer 2019. I wonder what has changed recently to classify it as a confirmed severity 4 vulnerability now.